Stefan G. Weichinger
2015-Dec-29 17:30 UTC
[Samba] samba4 as ADS member: some users visible, others not
On 2015-12-29 at 18:05, Rowland penny wrote:
> On 29/12/15 16:32, Stefan G. Weichinger wrote:
>> I have to add a brand new fedora 23 server with samba 4.3.3 to an
>> existing Windows ADS domain.
>>
>> The join is OK:
>>
>> # net ads testjoin
>> Join is OK
>>
>> I use winbind as I still have to learn about sssd (and I am unsure which
>> one to prefer).
>>
>> config (workgroup and realm edited):
>>
>> [global]
>> workgroup = customer
>> realm = my.customer
>> server string
>> security = ADS
>> map to guest = Bad User
>> username map = /etc/samba/smbusers
>> map untrusted to domain = Yes
>> load printers = No
>> printcap name = /dev/null
>> disable spoolss = Yes
>> template shell = /bin/bash
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind nss info = rfc2307
>> idmap config customer:range = 10000-999999
>> idmap config customer:schema_mode = rfc2307
>> idmap config customer:backend = ad
>> idmap config *:range = 2000-9999
>> idmap config * : backend = tdb
>> force create mode = 0664
>> force directory mode = 0775
>> printing = bsd
>> level2 oplocks = No
>>
>> ---
>>
>> issues:
>>
>> wbinfo -u
>> wbinfo -g list all users and groups from ADS
>>
>> getent passwd only gives me around 20 users from ADS ...
>>
>> -> some users get access to shares, some not!
>>
>> I assume this has to do with "idmap config customer:range" ?
>>
>> How to determine the values of the max ids?
>>
>> Do I have to "reset" some mappings after changing this parameter?
>>
>> What else to check for?
>>
>> thanks for any help on this, Stefan
>>
>
> The only mappings you should have, are the ones for the 'builtin' users
> & groups, all the others should have a uidNumber or gidNumber attribute
> in AD, these should be between '10000-999999'
> I would also recommend you remove these lines:
>
> force create mode = 0664
> force directory mode = 0775

I agree, sure.

> They really only belong in a share, but you should be using Posix ACLs
> anyway.
>
> If a user isn't shown by getent, then they are unknown to the OS and
> will not be able to access shares unless the share also allows guest
> access.

So I understand you suggest to use this instead ?

->

[global]
workgroup = CUSTOMER
realm = MY.CUSTOMER
server string
security = ADS
map to guest = Bad User
username map = /etc/samba/smbusers
map untrusted to domain = Yes
load printers = No
printcap name = /dev/null
disable spoolss = Yes
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
idmap config *:range = 2000-9999
idmap config * : backend = tdb
printing = bsd
level2 oplocks = No

I will test later as there are some users working (early evening here) ...

thanks! Stefan
Rowland penny
2015-Dec-29 17:59 UTC
[Samba] samba4 as ADS member: some users visible, others not
On 29/12/15 17:30, Stefan G. Weichinger wrote:
> On 2015-12-29 at 18:05, Rowland penny wrote:
>> On 29/12/15 16:32, Stefan G. Weichinger wrote:
>>> I have to add a brand new fedora 23 server with samba 4.3.3 to an
>>> existing Windows ADS domain.
>>>
>>> The join is OK:
>>>
>>> # net ads testjoin
>>> Join is OK
>>>
>>> I use winbind as I still have to learn about sssd (and I am unsure which
>>> one to prefer).
>>>
>>> config (workgroup and realm edited):
>>>
>>> [global]
>>> workgroup = customer
>>> realm = my.customer
>>> server string
>>> security = ADS
>>> map to guest = Bad User
>>> username map = /etc/samba/smbusers
>>> map untrusted to domain = Yes
>>> load printers = No
>>> printcap name = /dev/null
>>> disable spoolss = Yes
>>> template shell = /bin/bash
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind use default domain = Yes
>>> winbind nss info = rfc2307
>>> idmap config customer:range = 10000-999999
>>> idmap config customer:schema_mode = rfc2307
>>> idmap config customer:backend = ad
>>> idmap config *:range = 2000-9999
>>> idmap config * : backend = tdb
>>> force create mode = 0664
>>> force directory mode = 0775
>>> printing = bsd
>>> level2 oplocks = No
>>>
>>> ---
>>>
>>> issues:
>>>
>>> wbinfo -u
>>> wbinfo -g list all users and groups from ADS
>>>
>>> getent passwd only gives me around 20 users from ADS ...
>>>
>>> -> some users get access to shares, some not!
>>>
>>> I assume this has to do with "idmap config customer:range" ?
>>>
>>> How to determine the values of the max ids?
>>>
>>> Do I have to "reset" some mappings after changing this parameter?
>>>
>>> What else to check for?
>>>
>>> thanks for any help on this, Stefan
>>>
>> The only mappings you should have, are the ones for the 'builtin' users
>> & groups, all the others should have a uidNumber or gidNumber attribute
>> in AD, these should be between '10000-999999'
>> I would also recommend you remove these lines:
>>
>> force create mode = 0664
>> force directory mode = 0775
> I agree, sure.
>
>> They really only belong in a share, but you should be using Posix ACLs
>> anyway.
>>
>> If a user isn't shown by getent, then they are unknown to the OS and
>> will not be able to access shares unless the share also allows guest
>> access.
> So I understand you suggest to use this instead ?
>
> ->
>
> [global]
> workgroup = CUSTOMER
> realm = MY.CUSTOMER
> server string
> security = ADS
> map to guest = Bad User
> username map = /etc/samba/smbusers
> map untrusted to domain = Yes
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> idmap config *:range = 2000-9999
> idmap config * : backend = tdb
> printing = bsd
> level2 oplocks = No
>
> I will test later as there are some users working (early evening here) ...
>
> thanks! Stefan
>

NO! This will give you precisely 0 users

config * == the range the 'builtin' users will be mapped to.
config customer == the range for all the domain users that have a
uidNumber attribute. If a user doesn't have a uidNumber attribute
containing a number inside the range set in smb.conf (in your case
10000-999999) it will be ignored, the user will also be ignored if it
doesn't have a uidNumber attribute. There is also another gotcha, the
'Domain Users' group *must* have a gidNumber attribute inside the range,
or all users will be ignored even if they have a uidNumber attribute.

This all boils down to, have you manually given your users & groups the
required uidNumber & gidNumber attributes ? they are not added
automatically, they must be added manually.

Rowland
Stefan G. Weichinger
2015-Dec-29 18:16 UTC
[Samba] samba4 as ADS member: some users visible, others not
in the same ADS I have another member server with Samba-3.6.25

[global]
workgroup = CUSTOMER
realm = MY.CUSTOMER
server string = backup
security = ADS
map to guest = Bad User
printcap name = /dev/null
os level = 65
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config * : range = 1000-29999
idmap config * : backend = tdb

# nsswitch.conf
passwd: compat winbind
shadow: compat
group: compat winbind

this one gives me all users with "getent passwd" !

For the 4.x server I now tried:

[global]
workgroup = CUSTOMER
realm = MY.CUSTOMER
server string
security = ADS
map to guest = Bad User
username map = /etc/samba/smbusers
map untrusted to domain = Yes
load printers = No
printcap name = /dev/null
disable spoolss = Yes
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config * : range = 1000-29999
idmap config * : backend = tdb
printing = bsd
level2 oplocks = No

And now it works here as well! We will see if it stays this way ;-)

Thanks, Stefan
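The rule Rowland spelled out (with `backend = ad`, a user is only mapped when its uidNumber lies inside the domain's idmap range and 'Domain Users' carries a gidNumber inside that range; otherwise the user is silently ignored) and the observation above that a tdb-only `*` range lists every user can be checked offline with the small model below. This is an added example, not code from the thread or from Samba: the smb.conf fragments follow the ones quoted in the thread, the directory records (`alice`, `bob`, `carol`, `dave`) are constructed, and the tdb branch simplifies winbind's on-demand allocation to handing out ids in name order.

```python
"""Model of which AD users winbind will map to a uid under a given smb.conf
idmap configuration (added example, simplified; not Samba's own logic)."""
import re

# Constructed smb.conf fragments, modelled on the two configurations quoted in
# the thread: the 4.3.3 member with 'backend = ad' and the 3.6.25 member with tdb.
CONF_AD_BACKEND = """
[global]
    workgroup = CUSTOMER
    realm = MY.CUSTOMER
    security = ADS
    winbind nss info = rfc2307
    idmap config customer:range = 10000-999999
    idmap config customer:schema_mode = rfc2307
    idmap config customer:backend = ad
    idmap config *:range = 2000-9999
    idmap config * : backend = tdb
"""

CONF_TDB_ONLY = """
[global]
    workgroup = CUSTOMER
    realm = MY.CUSTOMER
    security = ADS
    idmap config * : range = 1000-29999
    idmap config * : backend = tdb
"""

# Constructed directory objects (account name -> rfc2307 attributes); not real AD data.
AD_USERS = {
    "alice": {"uidNumber": 10001, "gidNumber": 10000},
    "bob":   {"uidNumber": 20000, "gidNumber": 10000},
    "carol": {"gidNumber": 10000},                      # no uidNumber attribute at all
    "dave":  {"uidNumber": 1500, "gidNumber": 10000},   # uidNumber outside the range
}
AD_GROUPS = {"Domain Users": {"gidNumber": 10000}}

# Accepts both the 'idmap config *:range' and the 'idmap config * : backend' spellings.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line in conf."""
    idmap = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
            idmap.setdefault(domain, {})[option] = value
    return idmap


def parse_range(text):
    lo, hi = (int(part) for part in text.split("-"))
    return lo, hi


def map_users(conf, domain, users, groups):
    """Return (visible, ignored) following the rules given in the thread.

    backend = ad : a user is mapped only if its uidNumber lies inside the domain
                   range, and nobody is mapped unless 'Domain Users' has a
                   gidNumber inside that range.
    backend = tdb: ids are allocated from the range on demand, so every user gets
                   one until the range is exhausted (allocation order simplified).
    A domain with no 'idmap config' block of its own falls back to the '*' block.
    """
    idmap = parse_idmap(conf)
    settings = idmap.get(domain.lower(), idmap.get("*", {}))
    lo, hi = parse_range(settings["range"])
    backend = settings.get("backend", "tdb").lower()
    visible, ignored = [], {}

    if backend == "ad":
        gid = groups.get("Domain Users", {}).get("gidNumber")
        if gid is None or not lo <= gid <= hi:
            for name in users:
                ignored[name] = "'Domain Users' has no gidNumber inside %d-%d" % (lo, hi)
            return visible, ignored
        for name, attrs in users.items():
            uid = attrs.get("uidNumber")
            if uid is None:
                ignored[name] = "no uidNumber attribute"
            elif not lo <= uid <= hi:
                ignored[name] = "uidNumber %d outside %d-%d" % (uid, lo, hi)
            else:
                visible.append(name)
        return visible, ignored

    next_id = lo
    for name in users:
        if next_id > hi:
            ignored[name] = "idmap range %d-%d exhausted" % (lo, hi)
        else:
            visible.append(name)
            next_id += 1
    return visible, ignored


if __name__ == "__main__":
    for label, conf in (("backend = ad", CONF_AD_BACKEND), ("tdb only", CONF_TDB_ONLY)):
        visible, ignored = map_users(conf, "CUSTOMER", AD_USERS, AD_GROUPS)
        print("%-12s visible: %s" % (label, visible))
        for name, why in ignored.items():
            print("             ignored %-6s %s" % (name, why))
```

Running it shows the two situations from the thread side by side: with `backend = ad` only `alice` and `bob` appear in `getent passwd` terms, while `carol` (no uidNumber) and `dave` (uidNumber below 10000) are dropped with the reason; with the tdb-only range all four are listed. Emptying the gidNumber of 'Domain Users' makes the ad-backed list go to zero, which is the second trap Rowland mentions.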
Stefan G. Weichinger
2015-Dec-30 09:40 UTC
[Samba] samba4 as ADS member: some users visible, others not
On 2015-12-29 at 18:59, Rowland penny wrote:
> NO! This will give you precisely 0 users
>
> config * == the range the 'builtin' users will be mapped to.
> config customer == the range for all the domain users that have a
> uidNumber attribute. If a user doesn't have a uidNumber attribute
> containing a number inside the range set in smb.conf (in your case
> 10000-999999) it will be ignored, the user will also be ignored if it
> doesn't have a uidNumber attribute. There is also another gotcha, the
> 'Domain Users' group *must* have a gidNumber attribute inside the range,
> or all users will be ignored even if they have a uidNumber attribute.
>
> This all boils down to, have you manually given your users & groups the
> required uidNumber & gidNumber attributes ? they are not added
> automatically, they must be added manually.

Thanks a lot for that explanation. I read it after it started working here yesterday so excuse my late reply.

I never understood it the way you described it above, this would have helped me with other servers earlier as well.

thanks, Stefan